Internet and the soft side of the law

As far as I can remember, multinational corporations have always existed, and some names flow immediately from my memory: I remember my Kodak camera, my father’s Remington Rand typewriters (I played with them in his office when I was a kid), not to mention Coca-Cola, Sony, Bayern and all the other names and brands each of us has learned to know from way back then.

One of them, a US-based corporation, was my employer for many years. It sold hardware, software, and services around the world. Our task, as lawyers, was to make sure that in doing business our company did not break the laws of our country. In other words, when IBM (the company I worked for) wanted to sell a product in any given country, it had to comply with the laws of that country.

That’s nothing new or grand, nor has it gone out of fashion. If Apple wants to sell its iPads in Europe or in any other part of the world, it has to make sure its products meet the law, just as BMW has to do if it wants to sell its cars in the US: they have to comply with emission standards, safety regulations, etc. In essence, any company selling any kind of physical product has to make sure that its products meet the statutory requirements and comply with the laws of the country where it wants to sell them. If one looks at this way of conducting business from an organizational point of view, it was and it remains a very simple business model: if you want to address one geographical market, make sure the products you sell in that market comply with the law. This is the world as we know it.

Well, these days I’m not so sure any more that this is still the world as we know it.

In these days of the Internet this business model seems to have quickly gone out of fashion. As we all know, most of the names that count on the Internet are relative newcomers (many of them hardly existed 15 years ago). When they set up their business, they had two big tasks: they had to organize an infrastructure that could be accessed world-wide, while at the same time taking care of doing business world-wide. If they had followed the approach described above, this would have meant an additional task: making sure anything they did all over the world was legal. This would have required the establishment of a significant legal organization to tackle the issue of compliance with the laws of the many countries in which they would have operated, not an easy task by any standards. So someone came up with the BIG IDEA: if I do business all around the world but keep my corporate offices here (here being wherever any particular company had its main office) and if I am careful enough to act in a way that does not create jurisdiction in any country other than Santa Clara County, then we’re all set. This proposition was immediately bought: it would help to save money and time, avoiding the risk of facing unknown legal issues in those funny jurisdictions around the world like Europe (by the way, where’s Europe?) and the hassle of coping with 40 or 50 different legislations. So Internet companies continued to hire engineers, not lawyers. Engineers are much better people than lawyers, as everyone knows, and it is so much better to keep an organization slim, no-fuss, no-frills and most of all no lawyers!

The old business model collapsed in the blink of an eye. One still wonders why the IBMs and Apples of this world bother with local laws. That’s yet to be understood; apparently they are doing just fine and their old-fashioned business model hasn’t kept them from growing, but that’s a different story.

The evidence of what I just briefly described can be easily found by simply paying a visit to any of the following companies and their web sites: Google, Facebook and MySpace. I mention these three Internet companies for two reasons: (a) they have an established world-wide reputation and (b) I am somewhat familiar with their activity. (In all fairness I have to say that I’m sure that the number of companies doing business in this fashion is not limited to these three and that they come from any country in the world, not just the USA.) All three of these companies collect, store and process personal data of their users in ways, in numbers and to an extent never known before. All of these companies have local sites (i.e. sites in French, German, Italian, Spanish, etc.): there is an Italian version of Facebook and there is an Italian version of MySpace; not only is there an Italian version of Google, but an Italian company has been established in Milano by the name of Google Italy (oh, by the way: the company’s name on the official companies’ register is actually Google Italy, not Google Italia. Probably they didn’t even know what Italia meant or where Italia was!).

Yet none of these companies would even consider applying the European directive on data protection, let alone local data privacy law. If you write to the local Google subsidiary and ask them (for any legitimate reason) to remove some funny things from their listing, their answer is: sorry, we cannot do anything, it is all under US management. So you try to be a good boy and write to Google Inc, 1600 Amphitheatre Parkway, Mountain View, California, 94043, and wait. You get no answer. So you write again (maybe the first letter got lost, it’s such a long way from here to Mountain View). No answer, again. You try for the third time, but you already know what’s going to happen: no answer again. Now that’s very irritating, but don’t take it personally; the reason why they act like this is very simple: first of all they’re sending the whole world a very clear message: want to get me? Come here to California, if you can (that’ll teach all you troublemakers from all over the world a lesson)! And, if they were to answer, the fear is that this could lead to the establishment of jurisdiction in another country.

When MySpace opened its Italian version, they sent their users a lot of ads and material on the Italian version of their site, along with a notice which more or less said: we know very well that in Italy there is a law on protection of personal data: ok guys, forget about it, because our servers are in the US, so we’re so sorry but don’t expect to apply your silly law to us.

Last but not least: the bizarre opinions of young Zuckerberg on the privacy of his users’ personal data are well known and need no additional comment.

Now, when this issue was briefly debated in a panel discussion following the Court of Milano’s decision on the Google case (three Google executives found guilty of violating Italian data protection law), someone made the point that it is not ethical to do business in a country while at the same time trying to avoid complying with the laws of that country. But the whole point is not whether this is ethical or not, the whole point is: is it legal? Is it possible for a multinational corporation to do business in a country, make money and profit in that country, have a local subsidiary which has employees on its payroll and yet try to avoid applying its laws?

Well, my submission is that this is not possible; in fact it is against the legal principles set in case law on this very matter. In strict legal terms, this way of doing business (address one market but avoid complying with its laws and keep jurisdiction in another) is what the Internet is all about, and the first ones to say this is not legal were, of course, US Courts.

In 1997 the case of Minnesota vs Granite Gate Resorts was decided by the District Court of the State of Minnesota and later by the Court of Appeal. The facts are plain: the defendants had uploaded to a server (that apparently was located outside of Minnesota) a web site named “Wagernet”. The site advertised and solicited the reader’s participation in gambling available in the Caribbean island of Belize. After submitting an application and establishing an account by sending at least $1000 to Belize, the Minnesota resident received hardware which permitted her/him, via modem, to place bets on sporting events.

The Court of Appeal held that the Defendants should have been subject to the jurisdiction of the State of Minnesota because, by means of their Internet activity, they had “availed themselves of the privilege of doing business in Minnesota” (568 N.W. 2d 715, Court File No. c6-95-7227 (State of Minn. Dist. Crt., Ramsey County, Dec. 11, 1996) aff’d 576 N.W. 2d 747, No. C6-97-89 (Minn. Ct. App., Sept. 5, 1997)). This activity, found the Court, was developed and conducted on purpose: they had contacted Minnesota residents, they had advertised to Minnesota residents, etc.; hence, there was no way to escape the jurisdiction of the State of Minnesota.

Probably the landmark case was the Zippo case, where the Court used what has been dubbed “the sliding scale approach”. In this decision, in order to evaluate the possibility of establishing jurisdiction, the court used some simple evaluation criteria: at one end of the scale there are web sites that can be defined as strictly passive in nature, i.e. sites that only display information to users. At the other end of the spectrum there are the sites where (the defendant) “enters into contracts with residents of a foreign jurisdiction that involve the knowing and repeated transmission of computer files over the internet”, thus “clearly” conducting business and addressing a specific jurisdiction. A defendant acting in this fashion, i.e. repeatedly conducting and soliciting business in a given state, would generally be subject to personal jurisdiction in the courts of that state (Zippo Manufacturing Co. vs Zippo Dot Com, Inc; 952 F. Supp. 1119 (W.D. Pa. 1997)).

The two cases I just mentioned (plus all the many others that have dealt with this issue) are no secret: any lawyer who has had to face the issues of jurisdiction over the Internet knows perfectly well all the cases where the “passive vs interactive” test has been the basis for the courts to assert jurisdiction. These cases have not been decided in remote jurisdictions either; they have been decided by US Courts, but the legal essence of these decisions is constantly ignored in the day-to-day operations of all the companies that are doing business in this fashion. Therefore the point is: when will the Internet world comply with the law? When will these companies come to terms with the standards of law set by none other than US Courts? If the Internet is to continue to expand, this is an issue that must be addressed with determination, and quickly.

On top of this, it seems to me that there is a very compelling argument for these companies to change this way of doing business, one that emerges quite strongly from the recent past. Let’s take Google: if one looks at the sheer number of court cases that Google has faced and is facing in all jurisdictions, one cannot but wonder whether a different approach would have made a difference and would have helped to avoid so much legal trouble. Google has been and is still fighting cases all over the world on alleged violations of copyright laws, privacy laws, European competition law, you name it! Of course, all other things being the same, it is impossible to know if a different approach and more attention to legal compliance would have made a difference, but certainly at this point the management of these companies has to make a choice and decide whether to stay on this same course or change. For the time being, it seems that the main payoff has been to hire engineers instead of lawyers, only to pay higher fees to outside counsel around the world.